Fix Unnecessarily Adding Default Security User

Fixes gh-2567

Fix Unnecessarily Adding Default Security User
Fixes gh-2567
760d6ece · Rob Winch · 50e1f805 · 760d6ece · 760d6ece
Commit 760d6ece authored Mar 02, 2015 by Rob Winch
Showing with 106 additions and 13 deletions

AuthenticationManagerConfiguration.java ...onfigure/security/AuthenticationManagerConfiguration.java +50 -12

SecurityAutoConfigurationTests.java ...utoconfigure/security/SecurityAutoConfigurationTests.java +56 -1

No files found.
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java
@@ -43,6 +43,7 @@ import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
+import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
 import org.springframework.stereotype.Component;

 /**
@@ -137,21 +138,58 @@ public class AuthenticationManagerConfiguration {

 		@Override
 		public void init(AuthenticationManagerBuilder auth) throws Exception {
+			auth.apply(new DefaultingInMemoryUserDetailsManagerConfigurer(this.security));
+		}
+
+		/**
+		 * This is necessary to delay adding the default user.
+		 *
+		 * <ul>
+		 * <li>A GlobalAuthenticationConfigurerAdapter will initialize the
+		 * AuthenticationManagerBuilder with a Configurer which will be after any
+		 * GlobalAuthenticationConfigurerAdapter</li>
+		 * <li>BootDefaultingAuthenticationConfigurerAdapter will be invoked after all
+		 * GlobalAuthenticationConfigurerAdapter, but before the Configurers that were
+		 * added by other GlobalAuthenticationConfigurerAdapter instances</li>
+		 * <li>BootDefaultingAuthenticationConfigurerAdapter will add
+		 * DefaultingInMemoryUserDetailsManagerConfigurer after all Configurer instances</li>
+		 * <li>All init methods will be invoked</li>
+		 * <li>All configure methods will be invoked which is where the
+		 * AuthenticationProvider instances are setup</li>
+		 * <li>If no AuthenticationProviders were provided,
+		 * DefaultingInMemoryUserDetailsManagerConfigurer will default the value</li>
+		 * </ul>
+		 *
+		 * @author Rob Winch
+		 */
+		private static class DefaultingInMemoryUserDetailsManagerConfigurer extends
+				InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> {
+			private final SecurityProperties security;
+
+			public DefaultingInMemoryUserDetailsManagerConfigurer(
+					SecurityProperties security) {
+				this.security = security;
+			}
+
+			@Override
+			public void configure(AuthenticationManagerBuilder auth) throws Exception {
 				if (auth.isConfigured()) {
 					return;
 				}

 				User user = this.security.getUser();
 				if (user.isDefaultPassword()) {
-				logger.info("\n\nUsing default security password: " + user.getPassword()
-						+ "\n\n");
+					logger.info("\n\nUsing default security password: "
+							+ user.getPassword() + "\n");
 				}

 				Set<String> roles = new LinkedHashSet<String>(user.getRole());
-			auth.inMemoryAuthentication().withUser(user.getName())
-					.password(user.getPassword())
-					.roles(roles.toArray(new String[roles.size()]));
-		}
+				withUser(user.getName()).password(user.getPassword()).roles(
+						roles.toArray(new String[roles.size()]));
+
+				super.configure(auth);
 			}

+		}
+	}
 }
\ No newline at end of file
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
 import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
@@ -226,6 +227,60 @@ public class SecurityAutoConfigurationTests {
 		assertNotNull(this.context.getBean(JpaTransactionManager.class));
 	}

+	@Test
+	public void testDefaultUsernamePassword() throws Exception {
+		this.context = new AnnotationConfigWebApplicationContext();
+		this.context.setServletContext(new MockServletContext());
+
+		this.context.register(SecurityAutoConfiguration.class,
+				ServerPropertiesAutoConfiguration.class);
+		this.context.refresh();
+
+		SecurityProperties security = this.context.getBean(SecurityProperties.class);
+		AuthenticationManager manager = this.context.getBean(AuthenticationManager.class);
+
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
+				security.getUser().getName(), security.getUser().getPassword());
+		assertNotNull(manager.authenticate(token));
+	}
+
+	@Test
+	public void testCustomAuthenticationDoesNotAuthenticateWithBootSecurityUser()
+			throws Exception {
+		this.context = new AnnotationConfigWebApplicationContext();
+		this.context.setServletContext(new MockServletContext());
+
+		this.context.register(AuthenticationManagerCustomizer.class,
+				SecurityAutoConfiguration.class, ServerPropertiesAutoConfiguration.class);
+		this.context.refresh();
+
+		SecurityProperties security = this.context.getBean(SecurityProperties.class);
+		AuthenticationManager manager = this.context.getBean(AuthenticationManager.class);
+
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
+				security.getUser().getName(), security.getUser().getPassword());
+		try {
+			manager.authenticate(token);
+			fail("Expected Exception");
+		}
+		catch (AuthenticationException success) {
+		}
+
+		token = new UsernamePasswordAuthenticationToken("foo", "bar");
+		assertNotNull(manager.authenticate(token));
+	}
+
+	private static final class AuthenticationListener implements
+			ApplicationListener<AbstractAuthenticationEvent> {
+
+		private ApplicationEvent event;
+
+		@Override
+		public void onApplicationEvent(AbstractAuthenticationEvent event) {
+			this.event = event;
+		}
+	}
+
 	@Configuration
 	@TestAutoConfigurationPackage(City.class)
 	protected static class EntityConfiguration {